|
1 | | -use std::sync::Arc; |
| 1 | +use std::io::{Read, Write}; |
| 2 | +use std::sync::{Arc, OnceLock}; |
2 | 3 |
|
3 | | -use rustls::ClientConfig as RusTlsClientConfig; |
4 | | -use rustls::ServerConfig as RusTlsServerConfig; |
5 | | - |
6 | | -use rustls_rustcrypto::provider as rustcrypto_provider; |
7 | | - |
8 | | -mod fake_time; |
| 4 | +use fake_cert_server_resolver::FakeServerCertResolver; |
9 | 5 | use fake_time::FakeTime; |
10 | | - |
11 | | -mod fake_cert_server_verifier; |
12 | | -use fake_cert_server_verifier::FakeServerCertVerifier; |
13 | | - |
14 | | -mod fake_cert_client_verifier; |
15 | | -use fake_cert_client_verifier::FakeClientCertVerifier; |
| 6 | +use itertools::iproduct; |
| 7 | +use mem_socket::MemorySocket; |
| 8 | +use rustls::crypto::CryptoProvider; |
| 9 | +use rustls::{ |
| 10 | + ClientConfig as RusTlsClientConfig, RootCertStore, ServerConfig as RusTlsServerConfig, |
| 11 | +}; |
| 12 | +use rustls_rustcrypto::{Provider, provider as rustcrypto_provider, verify}; |
16 | 13 |
|
17 | 14 | mod fake_cert_server_resolver; |
18 | | -use fake_cert_server_resolver::FakeServerCertResolver; |
| 15 | +mod fake_time; |
19 | 16 |
|
20 | | -// Test integration between rustls and rustls in Client builder context |
21 | | -#[test] |
22 | | -fn integrate_client_builder_with_details_fake() { |
23 | | - let provider = rustcrypto_provider(); |
24 | | - let time_provider = FakeTime {}; |
| 17 | +static SERVER_RESOLVER: OnceLock<Arc<FakeServerCertResolver>> = OnceLock::new(); |
25 | 18 |
|
26 | | - let fake_server_cert_verifier = FakeServerCertVerifier {}; |
| 19 | +fn make_client_config(provider: CryptoProvider) -> RusTlsClientConfig { |
| 20 | + let resolver = SERVER_RESOLVER.get_or_init(|| Arc::new(FakeServerCertResolver::new())); |
| 21 | + let mut store = RootCertStore::empty(); |
27 | 22 |
|
28 | | - let builder_init = |
29 | | - RusTlsClientConfig::builder_with_details(Arc::new(provider), Arc::new(time_provider)); |
| 23 | + store.add(resolver.rsa_root_cert()).unwrap(); |
| 24 | + store.add(resolver.ecdsa_root_cert()).unwrap(); |
30 | 25 |
|
31 | | - let builder_default_versions = builder_init |
| 26 | + RusTlsClientConfig::builder_with_details(Arc::new(provider), Arc::new(FakeTime {})) |
32 | 27 | .with_safe_default_protocol_versions() |
33 | | - .expect("Default protocol versions error?"); |
| 28 | + .expect("Default protocol versions error?") |
| 29 | + .with_root_certificates(store) |
| 30 | + // .dangerous() |
| 31 | + // .with_custom_certificate_verifier(Arc::new(FakeServerCertVerifier {})) |
| 32 | + .with_no_client_auth() |
| 33 | +} |
34 | 34 |
|
35 | | - let dangerous_verifier = builder_default_versions |
36 | | - .dangerous() |
37 | | - .with_custom_certificate_verifier(Arc::new(fake_server_cert_verifier)); |
| 35 | +fn make_server_config(provider: CryptoProvider) -> RusTlsServerConfig { |
| 36 | + let resolver = SERVER_RESOLVER |
| 37 | + .get_or_init(|| Arc::new(FakeServerCertResolver::new())) |
| 38 | + .clone(); |
| 39 | + RusTlsServerConfig::builder_with_details(Arc::new(provider), Arc::new(FakeTime {})) |
| 40 | + .with_safe_default_protocol_versions() |
| 41 | + .expect("Default protocol versions error?") |
| 42 | + .with_no_client_auth() |
| 43 | + .with_cert_resolver(resolver) |
| 44 | +} |
38 | 45 |
|
| 46 | +// Test integration between rustls and rustls in Client builder context |
| 47 | +#[test] |
| 48 | +fn integrate_client_builder_with_details_fake() { |
39 | 49 | // Out of scope |
40 | | - let rustls_client_config = dangerous_verifier.with_no_client_auth(); |
| 50 | + let rustls_client_config = make_client_config(rustcrypto_provider()); |
41 | 51 |
|
42 | 52 | // RustCrypto is not fips |
43 | 53 | assert!(!rustls_client_config.fips()); |
44 | 54 | } |
45 | 55 |
|
46 | | -use rustls::DistinguishedName; |
47 | | - |
48 | 56 | // Test integration between rustls and rustls in Server builder context |
49 | 57 | #[test] |
50 | 58 | fn integrate_server_builder_with_details_fake() { |
51 | | - let provider = rustcrypto_provider(); |
52 | | - let time_provider = FakeTime {}; |
53 | | - |
54 | | - let builder_init = |
55 | | - RusTlsServerConfig::builder_with_details(Arc::new(provider), Arc::new(time_provider)); |
56 | | - |
57 | | - let builder_default_versions = builder_init |
58 | | - .with_safe_default_protocol_versions() |
59 | | - .expect("Default protocol versions error?"); |
60 | | - |
61 | | - // A DistinguishedName is a Vec<u8> wrapped in internal types. |
62 | | - // DER or BER encoded Subject field from RFC 5280 for a single certificate. |
63 | | - // The Subject field is encoded as an RFC 5280 Name |
64 | | - //let b_wrap_in: &[u8] = b""; // TODO: should have constant somewhere |
65 | | - |
66 | | - let dummy_entry: &[u8] = b""; |
67 | | - |
68 | | - let client_dn = [DistinguishedName::in_sequence(dummy_entry)]; |
69 | | - |
70 | | - let client_cert_verifier = FakeClientCertVerifier { dn: client_dn }; |
| 59 | + let rustls_server_config = make_server_config(rustcrypto_provider()); |
71 | 60 |
|
72 | | - let dangerous_verifier = |
73 | | - builder_default_versions.with_client_cert_verifier(Arc::new(client_cert_verifier)); |
| 61 | + // RustCrypto is not fips |
| 62 | + assert!(!rustls_server_config.fips()); |
| 63 | +} |
74 | 64 |
|
75 | | - let server_cert_resolver = FakeServerCertResolver {}; |
| 65 | +const CLIENT_MAGIC: &[u8; 18] = b"Hello from Client!"; |
| 66 | +const SERVER_MAGIC: &[u8; 18] = b"Hello from Server!"; |
76 | 67 |
|
77 | | - // Out of scope |
78 | | - let rustls_client_config = |
79 | | - dangerous_verifier.with_cert_resolver(Arc::new(server_cert_resolver)); |
| 68 | +// Test integration |
| 69 | +#[test] |
| 70 | +fn test_basic_round_trip() { |
| 71 | + std::thread::scope(move |s| { |
| 72 | + for provider in generate_providers() { |
| 73 | + let base_name = format!( |
| 74 | + "{:?}-{:?}", |
| 75 | + provider.cipher_suites[0], provider.kx_groups[0] |
| 76 | + ); |
| 77 | + println!("Testing with {base_name}"); |
| 78 | + // Creates a pair of sockets that interconnect from client to server, and server to client |
| 79 | + let (socket_c2s, socket_s2c) = MemorySocket::new_pair(); |
| 80 | + |
| 81 | + let mut random_data: [u8; 64 * 1024] = [0; 64 * 1024]; |
| 82 | + |
| 83 | + getrandom::fill(&mut random_data).unwrap(); |
| 84 | + |
| 85 | + std::thread::Builder::new() |
| 86 | + .name(format!("{base_name}-server")) |
| 87 | + .spawn_scoped(s, { |
| 88 | + let provider: CryptoProvider = provider.clone(); |
| 89 | + move || { |
| 90 | + let config = Arc::new(make_server_config(provider)); |
| 91 | + let mut stream = socket_s2c; |
| 92 | + let mut conn = rustls::ServerConnection::new(config.clone()) |
| 93 | + .expect("failed to create server config"); |
| 94 | + |
| 95 | + let mut tls = rustls::Stream::new(&mut conn, &mut stream); |
| 96 | + |
| 97 | + { |
| 98 | + let mut buf = [0; CLIENT_MAGIC.len()]; |
| 99 | + tls.read_exact(&mut buf).unwrap(); |
| 100 | + assert_eq!(&buf, CLIENT_MAGIC); |
| 101 | + } |
| 102 | + |
| 103 | + tls.write_all(SERVER_MAGIC) |
| 104 | + .expect("failed to write to client"); |
| 105 | + tls.write_all(&random_data) |
| 106 | + .expect("failed to write random data to client"); |
| 107 | + tls.conn.send_close_notify(); |
| 108 | + tls.flush().expect("failed to flush connection"); |
| 109 | + } |
| 110 | + }) |
| 111 | + .unwrap(); |
| 112 | + |
| 113 | + std::thread::Builder::new() |
| 114 | + .name(format!("{base_name}-client")) |
| 115 | + .spawn_scoped(s, move || { |
| 116 | + let mut sock = socket_c2s; |
| 117 | + let server_name = "acme.com".try_into().expect("failed to get server name"); |
| 118 | + let mut conn = rustls::ClientConnection::new( |
| 119 | + Arc::new(make_client_config(provider)), |
| 120 | + server_name, |
| 121 | + ) |
| 122 | + .expect("failed to create client config"); |
| 123 | + let mut tls = rustls::Stream::new(&mut conn, &mut sock); |
| 124 | + tls.write_all(CLIENT_MAGIC) |
| 125 | + .expect("failed to write to server"); |
| 126 | + |
| 127 | + { |
| 128 | + let mut buf = [0; SERVER_MAGIC.len()]; |
| 129 | + tls.read_exact(&mut buf) |
| 130 | + .expect("failed to read from server"); |
| 131 | + assert_eq!(&buf, SERVER_MAGIC); |
| 132 | + } |
| 133 | + |
| 134 | + { |
| 135 | + let mut plaintext = Vec::new(); |
| 136 | + tls.write_all(&random_data) |
| 137 | + .expect("failed to write random data to server"); |
| 138 | + tls.read_to_end(&mut plaintext) |
| 139 | + .expect("failed to read from server"); |
| 140 | + assert_eq!(plaintext, random_data); |
| 141 | + } |
| 142 | + }) |
| 143 | + .unwrap(); |
| 144 | + } |
| 145 | + }); |
| 146 | +} |
80 | 147 |
|
81 | | - // RustCrypto is not fips |
82 | | - assert!(!rustls_client_config.fips()); |
| 148 | +fn generate_providers() -> impl Iterator<Item = CryptoProvider> { |
| 149 | + let CryptoProvider { |
| 150 | + cipher_suites, |
| 151 | + kx_groups, |
| 152 | + .. |
| 153 | + } = rustcrypto_provider(); |
| 154 | + |
| 155 | + iproduct!(cipher_suites, kx_groups).map(|(cipher_suite, kx_group)| CryptoProvider { |
| 156 | + cipher_suites: vec![cipher_suite], |
| 157 | + kx_groups: vec![kx_group], |
| 158 | + signature_verification_algorithms: verify::ALGORITHMS, |
| 159 | + secure_random: &Provider, |
| 160 | + key_provider: &Provider, |
| 161 | + }) |
83 | 162 | } |
| 163 | + |
| 164 | +mod mem_socket; |
0 commit comments